WWW-Authenticate ABNF is ambiguous

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 06 Aug 2011 21:06:55 +0200
Message-ID: <4E3D90CF.3040506@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>

Hi,

so the ABNF is:

WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge ] )
challenge = auth-scheme 1*SP *( "," OWS ) auth-param *( OWS "," [ OWS
  auth-param ] )

Example:

   Basic realm="foo", , Otherscheme realm="bar"

This can be parsed as either three challenges:

1: Basic realm="foo"
2:
3: Otherscheme realm="bar"

or as two challenges:

1: Basic realm="foo",
2: Otherscheme realm="bar"

...where the first challenge has a list of auth-params where the first 
one is the realm, and the second one is empty.

In practice, this doesn't affect the semantics of the header field, but 
it *does* affect parser construction.

Best regards, Julian

(writing this down and sending it to the list because I just wasted a 
lot of time trying to find a problem somewhere else)
Received on Saturday, 6 August 2011 19:07:26 GMT
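
One way to build a parser that is unaffected by this ambiguity, as an added example that is not part of the original message or of the specification: split the field value on top-level commas, drop empty elements, and let the shape of each remaining element decide whether it opens a new challenge or continues the current one. The function names and the strict `token=value` form of auth-param (no whitespace around `=`) are assumptions of this example.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# auth-param = token "=" ( token / quoted-string )
PARAM = re.compile(rf"({TOKEN})=({TOKEN}|{QUOTED})")
# First element of a challenge: auth-scheme 1*SP auth-param
FIRST = re.compile(rf"({TOKEN}) +({TOKEN})=({TOKEN}|{QUOTED})")
# A list element is a run of quoted-strings and non-comma, non-quote characters,
# so commas inside a quoted-string never split an element.
ELEMENT = re.compile(rf'(?:{QUOTED}|[^",])+')


def unquote(value):
    """Strip the surrounding quotes and backslash escapes from a quoted-string."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header_value):
    """Return [(scheme, {param: value}), ...] for a WWW-Authenticate value."""
    challenges = []
    for raw in ELEMENT.findall(header_value):
        element = raw.strip(" \t")
        if not element:
            continue  # empty element: no need to decide which list it belongs to
        first = FIRST.fullmatch(element)
        param = PARAM.fullmatch(element)
        if first:  # "scheme name=value" opens a new challenge
            scheme, name, value = first.groups()
            challenges.append((scheme, {name.lower(): unquote(value)}))
        elif param and challenges:  # bare "name=value" extends the current one
            name, value = param.groups()
            challenges[-1][1][name.lower()] = unquote(value)
        else:  # fail closed on anything else, e.g. an unterminated quote
            raise ValueError(f"unexpected list element: {element!r}")
    return challenges


SAMPLE = 'Basic realm="foo", , Otherscheme realm="bar"'  # example from the message

if __name__ == "__main__":
    for scheme, params in parse_challenges(SAMPLE):
        print(scheme, params)
```

Because empty elements are discarded before any grouping happens, both readings of the example collapse to the same two challenges.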